Annual Internal Audit Report and Opinion 2017/18

 

 

[i]

 

 

July 2018


Maidstone Borough Council


Introduction

1.             The Institute of Internal Audit (IIA) gives the mission of internal audit: to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

2.             The mission and its associated code of ethics and Standards govern over 200,000 professionals in businesses and organisations around the world.  Within UK Local Government, authority for internal audit stems from the Accounts and Audit Regulations 2015.  The Regulations state services must follow the Public Sector Internal Audit Standards – an adapted and more demanding version of the global standards.  Those Standards set demands for our annual reporting:

Independence of internal audit

3.             Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each council supervises our work based on our collaboration agreement.

4.             Within Maidstone BC during 2017/18 we have continued to enjoy complete and unfettered access to officers and records to complete our work.  On no occasion have officers or Members sought or gained undue influence over our scope or findings.

5.             I confirm we have worked with full independence as defined in our Audit Charter and Standard 1100.

Head of Internal Audit Opinion

Scope and time period

6.             I provide this opinion to Maidstone Borough Council (the Council) to include in its Annual Governance Statement, as published alongside its financial statements for the year ended 31 March 2018.

Scope limits

7.             The role of internal audit need not cover only assurance and may extend towards consultancy, advice and strategic support.  We have agreed with the Audit, Governance & Standards Committee (the Committee) the overall scope of our work in our Internal Audit Charter and the specific scope of our work this year in our approved Internal Audit & Assurance Plan 2017/18.

8.             However our audit plan cannot address all risks across the Council and represents our best use of inevitably limited capacity.  In approving the plan, the Committee recognised this limit.

9.             Beyond this general disclaimer, I have no specific limits of our scope to report to the Committee.

Consideration of work completed and reliance on other agencies

10.         I have drawn my opinion from the work completed during the year. I first set out the work in the plan approved by Members in March 2017 and later developed it in line with emerging risks and priorities.  I set out in this report the extent and findings from our work in greater detail. 

11.         In completing my work I have placed no specific reliance on external sources.

12.         The rest of this report summarises the work completed in delivering the internal audit plan through 2017/18.

13.         My opinion draws on the work carried out by Mid Kent Audit during the year on the effectiveness of managing those risks identified by the Council and covered by the audit programme or associated assurance.  Not all risks fall within our work programme. For risks not directly examined I am satisfied an assurance approach exists to provide reasonable assurance on effective management.

Risk and control

14.         The Council is responsible for ensuring it undertakes its business within the law and proper practices. The Council must also ensure it safeguards and properly accounts for its resources, using them economically, efficiently and effectively.  The Council also has a duty under the Local Government Act 1999 to seek continuous improvement in exercising its roles.

15.         The Council has described key parts of its internal control and risk management within the Corporate Governance Local Code and the Risk Management framework.

16.         Organisations design internal controls to manage to an acceptable level rather than remove the risk of failing to achieve objectives.  So, internal controls can only provide reasonable and not complete assurance of effectiveness.  Designing internal controls is a continuing exercise designed to identify and set priorities around the risks to the Council achieving its objectives. The work of designing internal controls also evaluates the likelihood of those risks coming about and managing the impact should they do so.

17.         In completing our work we have considered the control environment and objectives in place at the Council.

Conformance with standards

18.         Mid Kent Audit has conducted its work following the Standards and good practice as represented in our internal quality assurance. This includes include working to an agreed audit manual with satisfactory supervision and review.

19.         Our annual review confirms the service remains in full conformance with the Standards, as advised by our external quality assessment from the Institute of Internal Audit in 2015. We are next due an external quality assessment by 1 April 2020.

20.         We describe later in this report our efforts towards continuing improvement and the results of our Quality and Improvement work.


 

Overall conclusion

Internal Control

21.         I am satisfied that during the year ended 31 March 2018 the Council managed its internal controls to offer sound assurance on control effectiveness.

Governance

22.         I am satisfied that Council’s corporate governance arrangements for the year ended 31 March 2018 comply in all material respects with guidance on proper practices[1].

Risk Management

23.         I am satisfied the risk management arrangements at the Council for the year ended 31 March 2018 are effective and provide sound assurance.

Other Matters

24.         I have no other matters to report as part of my opinion.

 

Rich Clarke CPFA ACFS
Head of Audit Partnership

18 July 2018


 

Internal Control

25.         Internal control is how the Council ensures achievement of its objectives with effectiveness and efficiency; achieving reliable financial reporting and compliance with laws, regulations and policies.  It covers financial and non-financial controls. 

26.         We gain audit evidence to support the Head of Audit opinion on internal control principally through completing the reviews set out within our agreed audit plan.

Maidstone Audit Plan Work 2017/18

27.         This Committee approved our Annual Audit & Assurance Plan 2017/18 in March 2017.  The plan set out an intended number of days devoted to each of various tasks.  We began work on the plan during April 2018 and have now completed our work.

28.         The table below shows progress in total number of days delivered against the plan.


Category

2017/18 Plan Days

Outturn at Jun-18

Balance

2017/18 Assurance Projects

320

281

-39

Risk Management

40

48

+8

Counter Fraud Support

40

39

-1

Member Support

20

20

0

Recommendation Follow-Up

40

37

-3

Audit Planning

10

11

+1

Contingency and Consultancy

50

65

+15

Total

530

501

-29

Concluding 2016/17 projects

0

67

n/a

 

29.         We achieved final delivery of around 501 audit days.  This is 95% of planned days and slightly ahead of the days forecast outturn noted in our interim report (483 days).

30.         We detail the specifics, and results, of this progress further within this report.


Results of Audit Work

31.         The tables below summarise audit project findings (* = days split between partners, MBC only shown).

Completed Assurance Projects

 

Title

Plan Days

Actual Days

Report Issue

Assurance Rating

Notes

2016/17 Assurance Projects Completed After Issue of 2016/17 opinion

 

Payroll

*5

*6

Jun-17

Strong

We summarised these reviews in our interim reports so have not repeated the information here.

 

Crematorium

15

15

Jun-17

Sound

 

ICT Controls & Access

*8

*5

Jun-17

Sound

 

General Ledger

15

17

Jul-17

Sound

 

Corporate Governance: Transparency Review

*5

*5

Jul-17

N/A

 

Public Health

15

13

Aug-17

Sound

 

Accounts Payable

10

13

Aug-17

Sound

Planned 2017/18 Assurance Projects Completed

I

Business Rates

*8

*9

Oct-17

Strong

 

II

IT Disaster Recovery

*6

*5

Oct-17

Sound

 

III

Debt Recovery Service

*5

*6

Oct-17

Strong

 

IV

Payroll

*8

*9

Nov-17

Sound

 

V

Land Charges

*5

*9

Dec-17

Weak

 

VI

Business Terrace

15

15

Dec-17

Sound

 

VII

Subsidiary Company Governance

10

13

Dec-17

N/A

 

VIII

Procurement

15

20

Jan-18

Weak

 

IX

Home Assistance Grants

12

16

Feb-18

Sound

 

X

Accounts Receivable

10

15

Mar-18

Weak

 

XI

Homelessness

15

16

Mar-18

Sound

 

XII

Food Safety

*5

*6

Apr-18

Sound

 

XIII

Emergency Planning

15

19

Apr-18

Sound

 

XIV

Parking Income

*10

*9

Apr-18

Sound

 

XV

Promotion & Marketing

12

14

May-18

Sound

 

XVI

Insurance

12

13

May-18

Sound

 

XVII

Legal Services

*5

*6

Jun-18

Sound

 

XVIII

Street Scene Provision

12

15

Jul-18

Sound

 

XIX

Member Training

12

15

Jul-18

Sound

 

XX

HR Policy Compliance

*7

12

Jul-18

Sound

 

XXI

Complaints

12

18

Jul-18

Sound

 

Planned 2017/18 Assurance Projects In Progress

 

Animal Welfare

12

8

Draft report prepared and being discussed with officers.  We will include the summary findings in our interim report later this year.

 

Contract Management

15

9

Fieldwork nearing completion.  We include a summary of issues emerging from the work at XXII. We will include the summary findings in our interim report.

Assurance Projects Added to the 2017/18 Plan and Completed

 

Mid Kent Audit Mid Term Review

n/a

*4

Aug-17

N/A

In interim report, not repeated here.

 


Assurance Projects Removed from 2017/18 Plan

32.         For conformance with standards and good practice, we keep our audit plan flexible to changing circumstances and risks across the authority over the year.  During 2017/18, this meant adding some reviews to the schedule as noted above. We chose to postpone some reviews, usually after approaches from Council officers.  The reasons vary, and we detail the specifics below.  In each case, and in total, we remain satisfied we have enough assurance to offer a robust overall opinion.

Information Security

33.         Our original planned scope referred to assessing compliance with the then draft Computer Use Policy, then expected to launch imminently.  However, following further consultation on the draft policy, the final did not appear until June 2018 and so we could not undertake an audit examining its impact.

34.         We considered instead undertaking a broader review of information security rather than examining a specific policy.  We reviewed network security during March 2017 and delivered a positive assurance rating.  During 2017/18 we entered an arrangement managed by LB Croydon (and reported to Members in our interim report) that gave us access to specialist audit support at competitive rates.  In consultation with the service, we took the view the specialist work would be more helpful than a second general review in such a short gap.  We have this specialist review on the 2018/19 audit plan.

Data Protection

35.         We focussed our work this year on providing support through the Information Governance Group as the Council worked to ready itself for new Data Protection laws.  We have a review that will examine compliance as part of our 2018/19 plan.

Building Control, Cemetery & Workforce Planning

36.         We adjusted the plan during the year to take account of additional investigative and consultative work, as well as audit resource availability.  We considered these areas to have relatively lower risk and so have postponed the work to future audit years.


I: Business Rates – Valuations, Liability, Billing and Write Offs (October 2017)

37.         Our opinion based on our audit work is that the Mid Kent Revenues and Benefits has Strong controls in place to ensure that Business Rates (valuation, liability, billing and write offs) are effectively administrated.

38.         Our review found only minor changes to the Business Rates system since we reviewed it in June 2015. These changes have not affected the overall effective design and operation of the system, and our testing confirms that Business Rates process is working effectively.

39.         From our testing, we are able to confirm that the Mid Kent Revenue and Benefits section has well established procedures in place to ensure that accurate valuation, liability and billing records are being maintained.

40.         Similarly, our testing of write offs confirmed that there are established procedures for the writing off of irrecoverable debts, in accordance with each Council’s Financial Procedure Rules.

41.         Since completing the review, the Council has acted to fulfil the recommendation in line with the agreed timetable. 

II: IT Disaster Recovery (October 2017)

42.         Our opinion based on our audit work is that the ICT shared service has Sound controls in place to manage its Disaster Recovery (DR) arrangements.

43.         The service has well designed arrangements to allow effective response to a disaster with prompt service restoration.  Documentation is clear with well-considered roles plus comprehensive backup arrangements, secure communication and regular testing.  However, we found some minor instances of documentation falling behind developments in wider business continuity that varied between the partner authorities.  The service holds significant experience and expertise including offering advice to other authorities, but we identified opportunities to better document and manage that resource.

44.         Since completing the review, Mid Kent ICT has acted to fulfil recommendations in line with the agreed timetable.  At year end all recommendations are complete.

III: Debt Recovery Service (October 2017)

45.         Our opinion based on our audit work is that the Debt Recovery Service has Strong controls in place over the administration and management of enforcement cases and receipting and banking of enforcement income. 

46.         We found that there are sufficient procedures in place for the administration and management of enforcement cases. Our testing confirmed that enforcement action is taken in accordance with agreed procedures and fees and charges are applied in accordance with regulations. However, we identified a potential improvement in how data is transferred and stored between the partner authorities and the service.

47.         Our testing established that financial controls, including receipting, banking and reconciliations, are operating effectively and as designed, and the partner authorities are accurately and promptly paid. However, we identified a potential risk in the when updating enforcement cases with payments received due to manual input.

IV: Payroll (November 2017)

48.         Our opinion based on our audit work is that the Payroll service has Sound controls in place to manage its risks and support achievement of its objectives. 

49.         Our testing established that Maidstone and Swale Borough Council’s mandatory payroll deductions are correctly calculated and paid to HMRC and KCC, with suitable checks and documentation in place to substantiate the payments made.  However, at Swale, the payment is sometimes approved by an officer without delegated authority.  This is the case for the main payroll, the IR35 and Elections payrolls.  Income Tax, National Insurance and Pension rate parameters are correct in iTrent.

50.         Discretionary deductions are supported by relevant documentation and correctly made.  Payroll does not verify Student Loan payment plans. 

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

2

0

0

51.         The service has now acted to implement both recommendations, so this report is closed.

V: Local Land Charges (December 2017)

52.         Our opinion based on our audit work is that the service has Weak controls in place to manage its risks and support achievement of its objectives. 

53.         There is a well-defined and effective process followed for the administration and processing of requests for Land Charges information. However, we found weaknesses in the process for receiving and recording income. In particular, weaknesses over cheque payments and self-billing accounts meant that we were unable to fully account for all of the payments that we tested.  Furthermore, reconciliations are not currently performed and so variances between the Land Charges system and the Councils general ledgers are not identified and addressed. We were unable to reconcile income through our testing. While the variance in the reconciliation is not material our overall conclusion based on these findings is that the financial controls are not operating effectively.

54.         Our testing of the Land Charge register identified risks with regards to completeness and accuracy. However, as the information on the register is provided by other services, a joined up approach with all services will be needed in order to improve reliance of the data.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

1

5

0

0

 

55.         Since completing the review, the Council has acted to fulfil recommendations in line with the agreed timetable.  At year end four of the six are complete, with the remaining two falling due early in 2018/19. We will revisit the action later in 2018.

VI: Business Terrace (December 2017)

56.         Our opinion based on our audit work is the Business Terrace has Sound controls in place to manage its risks and support achievement of its objectives. 

57.         Our findings show the Business Terrace works well towards achieving its objectives on offering a supportive environment for start up businesses. Demand for office space is strong and occupancy is at 100%.

58.         The Business Terrace has been successful in helping start up businesses grow. This has resulted in expansion including premium office space. The service is also seeking extra space to house growing businesses.

59.         However we identified some improvements necessary to back office procedures.  These include ensuring full recording of bookings and documenting its income reconciliation and debt collection.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

3

4

3

60.         Since completing the review, the Council has acted to fulfil recommendations in line with the agreed timetable.  At year end two of the seven are complete, with the remaining five due early in 2018/19. We will revisit the action later in 2018.

VII: Subsidiary Company Governance (December 2017)

61.         While completing this review we note the Company currently has only a limited role, with turnover barely above £100,000 a year and no direct asset ownership.  Given this limited role we accepted management’s view that materiality of the Company within the overall control environment did not merit an assurance rated report.  Therefore we offer this report without an assurance rating.

62.         However, we note management have nonetheless agreed to carry out the agreed recommendations and will do so before the Company becomes material.

63.         The Council has not clearly settled its subsidiary company as a distinct entity, or clarified its role.  This means the Council risks failing to realise the benefits it hopes to achieve by arranging its affairs like this.  We found a lack of clarity in staff roles between the company and Council, both in appointment and compensation.  There is a lack of clarity about when individuals act for the Company or the Council.  Therefore we cannot easily assess if the arrangement delivers value and works effectively.

64.         Lines of reporting to oversee the Company are also unclear.  The company does not provide the performance information demanded by its founding agreements.  However, the Council does not seek the information either. This is an example of our overall finding that the Council is yet to set up clear and independent governance allowing it to oversee the Company.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

3

1

1

2

 

65.         At year end three of five are complete, with the remaining two (one medium and one high priority) recommendations deferred. We will revisit these actions later in 2018.

VIII: Procurement (January 2018)

66.         Our opinion based on our audit work is the Procurement controls in the Council offer only Weak assurance.  This means that they require further support to work with consistent efficacy across the Council. 

67.         The Council has a solid and comprehensive set of Contract Standing Orders.  The Council’s procurement team stick closely to these rules. As confirmed by our testing, they conduct major buying exercises in full conformance supported by procedures and template documents.

68.         However, the team’s role extends only to major (£75k+) procurements with a seldom used advisory role elsewhere.  This means a significant part of the Council’s spend, over £6m a year, happens without reference to the central team.  Our testing found widespread lack of conformance in the wider Council arising from both limited awareness and, sometimes, a conscious choice not to apply the rules.  This exposes the Council to significant risk of not achieving best value and limits its ability to ensure proper conduct.  The Council should look to provide training and institute compliance checks to address these risks.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

2

0

2

1

69.         Since completing the review, the Council has acted to fulfil one recommendation in line with the agreed timetable. If the Council has followed the agreed timetable, all actions will have been completed by mid 2018.

IX: Home Assistance Grants (February 2018)

70.         Our opinion based on our audit work is that the Housing and Inclusion Team has Sound controls in place to effectively administer Home Assistance Grants. 

71.         The Council has effective and embedded procedures for the processing of applications. The existing arrangements ensure that awards are made accurately and in accordance with the Housing Grants, Construction and Regeneration Act 1996 and Council’s Housing Assistance Policy 2016 – 2020.

72.         Having recently transitioned from M3 to the Uniform system to administer and record grants, our testing confirmed that the quality and utilisation of digital processes provide a good standard of record keeping.

73.         Our testing confirmed that procedures are consistently operating as intended, and that controls are in place to effectively manage the associated risks. However we did identify areas for potential improvement with regards to notifications when a grant has been paid.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

0

2

0

74.         Since completing the review, the Council has acted to fulfil recommendations in line with the agreed timetable.  At year end all recommendations are complete.

X: Accounts Receivable (March 2018)

75.         Our opinion based on our audit work is that the Accounts Receivable service has Weak controls in place to manage its debt recovery and write off processes.

76.         Our review found only minor changes to the Accounts Receivable system since we reviewed it in January 2016. These changes have not affected the overall effective design and operation of the system as a whole.

77.         Our detailed testing for this audit concentrated on the recovery process for unpaid debts. We found that the full extent of the recovery policy and procedures are not being adopted and followed. Reminders are being issued, however, after this stage further recovery action is not being taken. This issue was raised in a previous audit in 2015/16, and although management action was taken to help address the issue, little progress has been made to improve the recovery rate for debts. 

78.         We acknowledge that there has recently been a change of personnel in the Finance team which has enabled additional resources to be allocated to recovery. While this has allowed the team to begin taking further recovery action, the results of these actions on the reduction of debts is yet to be determined.

79.         We found from our testing, that the writing off of those debts deemed irrecoverable, is appropriately evidenced and approved in accordance with the Council’s Financial Procedure Rules.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

2

2

2

1

80.         Since completing the review, the Council has acted to fulfil recommendations ahead of the agreed timetable.  At year end two high priority recommendations are complete, with the remaining four due for completion by December 2018.

XI: Homelessness (March 2018)

81.         Our opinion based on our audit work is that the Housing Advice Service has Sound controls in place to manage its risks and support achievement of its objectives. 

82.         The controls over the processing and management of homeless applications are effective in both design and operation. All of the decisions tested during the review were supported by appropriate evidence to confirm the decision made.

83.         We established that support is being provided to vulnerable people and decision making is compliant with the Council’s Homelessness Strategy and legislation.  Performance of the service is widely reported, including to officers and members. However, we were unable to verify some of the performance indicator information reported to the Corporate Leadership Team.

84.         The Service is taking a proactive approach to prepare for the implementation of the Homelessness Reduction Act in April 2018. Our review of the implementation plan established actions are on track to be completed.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

0

2

2

85.         If the Council has followed the agreed timetable, both actions will have been completed by mid 2018.

XII: Food Safety (April 2018)

86.         Our opinion based on our audit work is that the Environmental Health service has Sound controls in place to manage its risks and support achievement of its objectives over the Food Safety function. 

87.         The audit confirmed the Council has a suite of effective and embedded procedures to ensure food hygiene inspections are handled in accordance with statutory requirements. These procedures are supported by templated documentation, which provides a structured and consistent approach to the work undertaken by the Food Safety team.

88.         Our testing established there is a consistent educative approach taken with regards to compliance and any identified issues are clearly explained to the food establishment operator along with any necessary corrective action. Where appropriate, these actions are followed-up accordingly.

89.         Our testing identified a number of minor issues where records had not been maintained or a full rationale for decision making had not been documented. In addition, there is opportunity for the service to make clearer the sanctions for establishments that register late. These issues were not systemic, and relate mainly to the tightening up of procedures; as such they do not present a risk that would undermine the overall effectiveness of the service.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

1

6

2

90.         Three recommendations fell due for action in early 2018/19, with the remaining recommendations falling due in mid 2018/19. We will revisit the actions later in 2018.

XIII: Emergency Planning (April 2018)

91.         Our opinion based on our audit work is that the Council has Sound controls in place for Emergency Planning arrangements.

92.         Our review concludes that the Council’s Emergency Planning arrangements are compliant with the Civil Contingencies Act 2004 and that the processes in place can be used to facilitate an effective response to an emergency event. However, we have identified some areas that require improvement in order to ensure that those processes operate consistently and suitably prepare the Council in the event of a major emergency.

93.         Recent handover of the Emergency Planning service provides an opportunity to more clearly define the roles and responsibilities for the service. This will enable the Council to better understand the resources needed  to effectively support the Emergency Planning function, including maintaining the administrative aspects of the process. We found that many of the individual incident response plans require review and update, and while there is an annual work plan and well-led working group in place to help implement improvements many of the due dates have passed.

94.         The Council is generally well-staffed for an emergency and key officers have undertaken sufficient training and are at the forefront of exercises. In the event of an emergency the Council has demonstrated that it is able to respond, but officers with more operational roles require more training as we identified lower levels of awareness of their roles through our testing.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

1

3

1

0

95.         All the recommendations fall due for action later in 2018/19.  If the Council follows the agreed timetable, all actions will be complete by September 2018.

XIV: Parking Income (April 2018)

96.         Our opinion based on our audit work is that Parking Services has Sound controls in place to manage its risks and support achievement of its objectives as they relate to the collection, reconciliation and banking of car parking income.

97.         Our testing at both Maidstone and Swale confirmed that cash due had reached the bank account and was properly recorded in financial records.  We also found sound controls in place for managing cashless parking income.

98.         However, procedures at Swale have some design weaknesses which could allow errors to go unrecognised.  We note some controls in place at Maidstone (such as system reconciliations) that could support prompt identification of errors.  At both councils, the success of controls relies heavily on availability of the Finance Officer.  We recommend identifying cover to provide resilience.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

6

0

1

99.         Three recommendations fell due for action in early 2018, with the remaining recommendations falling due by July 2018. We will revisit the actions later in 2018.

XV: Promotion & Marketing (May 2018)

100.     Our opinion based on our audit work is that there are Sound controls in place over the Council’s promotion and marketing activities.

101.     We found that the processes and procedures in place are generally well designed and operating effectively. Following the centralisation of all communications activities, we believe there are clear routes available for departments to request promotion and marketing work. The jobs are being completed in line with the Council’s new corporate branding guidelines, which we found to be compliant with the relevant legislation. The sign off system in place is adequate and the service is currently working to enhance the efficiency of the process. Some minor opportunities for improvement have been identified, particularly in regards to record keeping.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

0

4

1

102.     All the recommendations fall due for action later in 2018/19.  If the Council follows the agreed timetable, all actions will be complete by September 2018.

XVI: Insurance (May 2018)

103.     Our opinion based on our audit work is that there are Sound controls in place over the Council’s Insurance arrangements. 

104.     There are controls in place and operating to effectively manage the processes for tendering for a new insurance contract, handling renewals and in year additions to the policy.  Equally, there are processes in place which support the Council upholding its obligations in relation to the insurance policy. 

105.     The claim process is defined and operates well and the financial arrangements follow the Council’s financial procedure rules. Our testing identified some minor areas of improvement, specifically to ensure that claims where further information is needed are not unnecessarily delayed.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

0

2

0

 

106.     One recommendation fell due for action in mid 2018, with the remaining recommendation falling due for action later in 2018/19.  If the Council follows the agreed timetable, all actions will be complete by December 2018.

XVII: Legal Services (June 2018)

107.     Our opinion based on our audit work is that the Legal Services has Sound controls in place to manage its risks and support achievement of its objectives. 

108.     We found generally sound processes in place for administering case files and finances within Mid Kent Legal Services.  This includes an organised case management system – IKEN – as well as adherence to financial procedures to manage spending and budgets.

109.     However, the service must make significant improvements in two areas; retaining signed contracts and information supporting external invoices.  The service could locate only half of the contracts we requested in testing and fully support costings for only one of twelve invoices examined.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

2

2

3

0

110.     All the recommendations fall due for action later in 2018.  If the Council follows the agreed timetable, all actions will be complete by October 2018.

XVIII: Street Scene Provision (July 2018)

111.     Our opinion based on our audit work is that the Waste and Street Scene service has Sound controls in place to manage the Council’s street scene operations.

112.     The work completed by the Street Scene service is pivotal to one of the Council’s three strategic main priorities; providing a clean and safe environment.  We found operational controls within the service to be satisfactory to support the service’s efficient running.  We also found a dedication to improve its work, including a current review of some processes.

113.     However, in part because of the current review, we found gaps in record keeping. In particular we found it difficult to verify the service had acted in response to resident referrals in good time.  Improving this record keeping will be essential for the service to show its contribution to the Council’s priorities.

114.     If the Council fulfils recommendations in line with agreed timings, all actions will be in place by April 2019.

XIX: Member Training (July 2018)

115.     Our opinion based on our audit work is that Democratic Services has Sound controls in place to induct and training Members. Our assessment takes into consideration actions currently underway by the service to update processes for 2018/19, and so is reflective of the fact that any new controls put in place will need time to embed. 

116.     We found that the service had sound arrangements in place for producing and delivering the 2017/18 Member Development Training Plan. Courses were arranged and delivered in accordance with the plan, and training events were promoted and communicated to all Members. Further enhancements are planned in 2018/19, through the adoption of the LGA Member Development Charter which will enable Members to identify and manage their own development needs.

117.     The induction process for new members from the May 2018 election has recently been reviewed in consultation with members and officers. As part of this audit we reviewed the proposed changes and consider the planned process to be sound by design. We were however, unable to test how these arrangements will work in operation as they were implemented after we completed our review.

XX: HR Policy Compliance (July 2018)

118.     Our opinion based on our audit work is the Human Resource Service has Sound controls in place to ensure compliance with the three Council policies examined: Home and Mobile Working, Flexible Working and Disciplinary. 

119.     Our testing confirmed full conformance with the Flexible Working and Disciplinary Policies. Officers within the service keep good records to support decisions taken and provide satisfactory support to managers and employees.  We found some improvements needed on record keeping to show conformance with the Home & Mobile Working policy, in particular ensuring managers are aware of insurance requirements.

XXI: Complaints (July 2018)

120.     Our opinion based on our audit work is that Complaints Handling has Sound controls in place to manage its risks and support achievement of its objectives.

121.     The Complaints Policy is accessible to the public, complaints are dealt with in a timely manner and impartially. Complaints are fully investigated, responses are carefully considered and address the concerns of complainants. Performance targets are met and regularly reported to Senior Management.

122.     In order to fully comply with Local Government Ombudsman (LGO) guidance, the service needs to centrally log and report on complaint response outcomes. Furthermore, they need to ensure that service improvements prompted by complaints are implemented.

123.     Records need to be retained to demonstrate the correct application of the Unreasonable and Unreasonably Persistent contacts policy. This would ensure compliance with MBC policy and LGO guidance.

Priority 1 (Critical)

Priority 2 (High)

Priority 3 (Med)

Priority 4 (Low)

Advisory

0

0

3

5

0

 

XXII: Contract Management (Interim Findings)

124.     The contract management (CM) audit is underway with some further testing outstanding.  However, given standing interest in CM, we provide a summary of the preliminary findings from our work.

125.     We have found a lack of clarity among officers on when a contract should be in place.  The Council has made progress on incorporating CM into its procurement to ensure CM receives early consideration.  However, this should be improved with further guidance.

126.     Officers do not routinely define performance in a way which sets out how they will measure and monitor results.  However, we found performance management working in practice with feedback to suppliers, and a good awareness of how to raise issues or problems.  We found less clarity among officers on results of poor performance.

127.     The Council should strengthen how it manages change in CM. This will help ensure continuity and corporate contract awareness.  Contract reviews happen typically only when approaching the end of a contract. We also found a lack of clarity around when to review contracts.

128.     We found some consideration of risk when entering contracts, especially where the arrangement needs Member approval.  In general we found good awareness of the risks and recognition the Council cannot fully transfer them to the contractor.  However, services do not consistently document risks nor complete routine reviews.

129.     We will complete the remaining work over the coming month and deliver a report explaining our findings in full to officers. We will include information on that report to Members within our interim report later this year. 


 

Following Up Actions

130.     Our approach to recommendations is that we follow up each quarter, examining issues that fell due in the previous three months.  We take due dates from the action plan agreed with management when we finish our reporting.  We report progress on implementation to Corporate Leadership Team (CLT) each quarter. This includes noting any matters of continuing concern and where we have revisited an assurance rating (typically after action on key recommendations).

131.     We summarise in the chart below the current position.  The chart shows low priority recommendations (at the foot of each bar) in green, medium priority in amber and high priority (at the top of each bar) in red.

132.     Overall we are content with officers’ progress on acting to address issues we raise in our reviews.  Although we receive periodic requests from officers to defer action, in each case we are content that delays pose no heightened risk to the Council.


133.      

Corporate Governance

134.     Corporate governance is the rules, practices and processes that direct and control the Council. 

135.     We gain audit evidence to support the Head of Audit Opinion through completion of relevant reviews in the audit plan, as well as specific roles on key project and management groups.  We also consider matters brought to our attention by Members or staff through whistleblowing and the Council’s counter fraud and corruption arrangements.

136.     We also help in upholding good governance by providing advice and training to both officers and Members.

Counter Fraud & Corruption

137.     We consider counter fraud and corruption risks in all of our audit engagements when considering the effectiveness of control.  We also undertake distinct work at assess and support the Council’s arrangements.

Investigations

138.     During 2017/18 we have completed one investigation on a matter related to a potential identity theft which came to light when paying electoral support workers. We identified the matter was a genuine case of mistaken identity caused by a similarity in names and addresses and provided advice to the service.

139.     We completed a further investigation on potential fraudulent use of a post office box registered to the Council.  We found the use was genuine, but errors in addressing correspondence to the Council had caused unnecessary concern.

140.     We also completed one further investigation following information of alleged computer misuse brought to light by information provided by Mid Kent ICT.  We identified one breach at Maidstone which resulted in appropriate action against the individual.  We were satisfied there were no further breaches of policy at Maidstone, but fed back to Mid Kent ICT comments on the computer use policy that arose during our investigation.  These comments informed the recently published update to the Computer Use Policy.


 

Whistleblowing and money laundering

141.     The Council’s whistleblowing policy names internal audit as one route for Members and officers to safely raise concerns on inappropriate or even criminal behaviour.

142.     We have had one matter raised with us during the year.  We completed an investigation and agreed action with management that settled the concern raised by the whistleblower.

143.     We have also had no matters raised with us noting concerns that may indicate a breach of money laundering regulations.

National Fraud Initiative

144.     We continue to coordinate the Council’s response to the National Fraud Initiative (NFI).  NFI is a statutory data matching project and we must send in various forms of data to the Cabinet Office who manage the exercise.

145.     The Cabinet Office released the 2017 matches in January 2017 as reported to this Committee in June 2017.  Most matches (almost 90%) fall to the MKS Revenues & Benefits Compliance team to look into.  That team report separately.

146.     Of the remaining matches, the Cabinet Office marked 272 as “recommended”, around 30% of the total.  We have completed review of all recommended matches and noted three cases error. Two from matches involving the Housing Waiting List, one from Taxi Licensing data.  Identifying these three errors has saved £6,480.  We will examine a sample of the remaining matches aiming to reach an overall conclusion of the work within the two year window recommended by the Cabinet Office.

Counter Fraud Policy

147.     During 2017/18 we updated the Council’s Whistleblowing and Counter Fraud policies, with approval from this committee.

148.     The Cabinet Office confirmed in March that it plans to launch Counter Fraud Standards in July 2018.  Although these Standards will be mandatory only in central government, the Cabinet Office encourages the view that they will represent a good practice aspiration across the public sector. 

149.     Once the Cabinet Office publishes we will review the updated Counter Fraud and Whistleblowing Policies. We will review with a view to incorporating and reflecting the Cabinet Office standards as far as practical. 

Other Audit and Advice Work

150.     We also continue to undertake a broad range of special and scheduled consultancy and advice work for the Council.  Examples include our contributions to the Council’s Corporate and Information Governance groups and advising on possible approaches to delivering Housing Benefit certification.

151.     We remain engaged and flexible in seeking to meet the assurance needs of the Council. We are happy to discuss opportunities large and small where the Council can usefully employ the experience and expertise of the audit team.


 

Risk Management

Risk Management Update

152.     Risk management is how the Council identifies, quantifies and controls the risks it faces as it seeks to achieve its objectives.

153.     We gain evidence to support the Head of Audit Opinion through our role as having lead responsibility for risk management for the Council. We set out this role, with safeguards to our independence, in our audit charter.

154.     The Council set up its current risk management approach in July 2015. Since then, we have regularly reported key risk information to Officers and Members. Specifically, the Audit, Governance and Standards Committee will receive, to the same meeting as this report, its first Annual Risk Report which provides assurance over the effectiveness of the risk management process.

155.     The Annual Risk Report also provides further details of the Councils Corporate risks and the overall risk profile.  We consider both the Councils’ Corporate and Operational risks when undertaking our audit planning and as part of each audit engagement.

156.     We have continued to lead on the risk work for the Council. We will seek opportunities to improve the process through 2018/19, reporting progress to Members at Policy & Resources Committee and this Committee.

157.     We have a separate report on risk management elsewhere on this Committee’s agenda.


158.      

Audit Quality & Improvement

Standards and ethical compliance

159.     On 1 April 2017 the RIASS[2] published a changed set of Public Sector Internal Audit Standards (the “Standards”).  These updates made more than thirty changes and improvements, building on the recently published International Professional Practices Framework.

160.     All auditors working in the public sector (including, for instance, health and central government too) must work to these standards for 2017/18.  One specific change is the new demand to report to Senior Management and the Board (Audit Committee) on conformance with the Code of Ethics and the Standards.

161.     We included the Code of Ethics as an appendix to our interim report in December 2017.  We have included the Code within our Audit Manual and training for some years. We can report to Members we remain in conformance with the Code.

162.     On broader Standards conformance we must each year assess ourselves against those standards and report the results to Members.

163.     We underwent an external independent assessment from the IIA in 2014 which confirmed our full conformance with all but 6 of the standards and partial conformance to the rest.  In 2015, following action to fulfil the IIA’s recommendations, we achieved full conformance to the standards – the first English local authority audit service to be so assessed by the IIA.

164.     In 2018 we undertook a self-assessment against the Standards and confirm to Members we remain in full conformance.  We include a summary of that assessment on the next few pages:

 

Audit Management Software

165.     In March 2018 we decided to move from Audit Management Software called Teammate – which the partnership had used for more than a decade – to a new product called Pentana.  Aside from a significant annual saving, Pentana offers us significant opportunities in further developing the quality and consistency of our work and reporting.  Specific opportunities we are exploring include:

·         A greater range of standardised work programmes, allowing for more directed work and expanded audit universe coverage.

·         A clearer link to organisational structure, allowing for easier reporting to all levels of the council.

·         Greater consistency in recording audit findings, allowing for cross-authority reporting on themes or key issues.

·         Better and more organised information on risks and controls to allow clearer focus within individual projects.

·         The ability to capture consistently a broader range of information and work to help support our planning and reporting.

166.     As noted in the 2018/19 plan, we set aside some time to support familiarisation and training in the new software.  However, for 2019/20 onwards we also expect significant efficiencies from internal process improvements.

Training and Qualifications

167.     We continue to offer strong support to the audit team in continuing development and upholding professional competence.  In 2017/18 this involved providing individual training budgets and supporting people to follow avenues for development suitable for their career position and ambitions.

168.     A key but far from sole part of this approach is supporting professional qualifications.  During 2017/18 we supported almost half the team through professional studies and remain pleased with their progress and success.  We would like to highlight:

·         Russell Heppleston, Deputy Head of Audit Partnership, achieved the full professional qualification of the Institute of Risk Management.

·         Jen Warrillow, Senior Auditor, completed the first of three case studies towards becoming a Chartered Member of the Institute of Internal Audit (IIA).

·         Ben Davis, Trainee Auditor, completed the full professional qualification of the Chartered Institute of Public Finance and Accounting (CIPFA).

·         Andy Billingham, Auditor, and Louise Taylor, Trainee Auditor, both completed the first of three stages in the Certificate of Internal Audit (CIA) qualification awarded by the IIA.

169.     We have also taken the lead in arranging training across regional audit groups as a way of maximising efficiency and tailoring content for local needs.  During 2017/18 this included hosting a CIPFA training event attended by auditors across Kent on the basics of counter fraud investigation and legislation.  During 2018/19 we will work with the London Audit Group in developing training aimed at helping auditors work towards management roles.

Performance Indicators

170.     Aside from the progress against our audit plan we also report against some specific performance measures designed to oversee the quality of service we deliver to partner authorities.  We have monthly update meetings with management to discuss service performance and audit results.

171.     Note that all figures are for performance across the Partnership.  Given how closely we work together as one team, as well as the fact we examine services shared across authorities, it is not practical to present authority by authority data.  

Measure

2014/15 Results

2015/16 Results

2016/17 Results

2017/18 Results

Cost per audit day

Met target

Met target

èç

Beat target

é

Beat target

é

% projects completed within budgeted number of days

47%

60%

é

71%

é

78%

é

% of chargeable days

75%

63%

ê

74%

é

74%

èç

Full PSIAS conformance

56/56

56/56

èç

56/56

èç

58/58

èç

Audit projects completed within agreed deadlines

41%

76%

é

81%

é

87%

é

% draft reports within ten days of fieldwork concluding

56%

68%

é

71%

é

80%

é

Satisfaction with assurance

100%

100%

èç

100%

èç

100%

èç

Final reports presented within 5 days of closing meeting

89%

92%

é

94%

é

96%

é

Respondents satisfied with auditor conduct

100%

100%

èç

100%

èç

100%

èç

Recommendations fulfilled as agreed

95%

98%

é

98%

èç

97%

èç

Exam success

100%

100%

èç

85%

ê

85%

èç

Respondents satisfied with auditor skill

100%

100%

èç

100%

èç

100%

èç

 

172.     We note the continuing improvement in performance and productivity in our project reviews, while keeping high levels of satisfaction with the service. 

173.     While we seek comments from a broad range of sources, the driver for the satisfaction numbers is responses to the surveys we circulate with each final report.  For 2017/18 we received 42 completed survey responses, including 14 from Maidstone (including its shared services). This gives a response rate of just under two thirds, noting that a couple of surveys received multiple responses.  We continue working with audit sponsors, recognising the many draws on their time, developing ways to gain comments on our work.

Acknowledgements

174.     We achieve these results through the hard work and dedication of our team and the resilience that comes from working a shared service across four authorities.

175.     As a management team in Mid Kent Audit, we wish to send our public thanks to the team for their work through the year so far.

176.     We would also like to thank Managers, Officers and Members for their continued support as we complete our audit work during the year.


 

Annex 1: Assurance & Priority level definitions

Assurance Ratings 2017/18 (Unchanged from 2014/15)

Full Definition

Short Description

Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any; recommendations and those will generally be priority 4.

Service/system is performing well

Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.

Service/system is operating effectively

WeakControls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.

Service/system requires support to consistently operate effectively

Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.

Service/system is not operating effectively

 


Recommendation Ratings 2017/18 (unchanged from 2014/15)

Priority 1 (Critical) To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

 

 

 

 

 



[1] “Proper practices” are defined by CIPFA/SOLACE and set out in Delivering Good Governance in Local Government Framework (2016).

[2] Relevant Internal Audit Standards Setters: A group comprising CIPFA (Chartered Institute of Public Finance & Accountancy), the Department of Health, HM Treasury, the Northern Irish Department of Finance & Personnel and the Welsh and Scottish Governments.  The RIASS are advised by the Chartered Institute of Internal Audit (IIA) and the Internal Audit Standards Advisory Board (IASAB).



[i]  The front cover image is A Kent Landscape by David Shepherd (1931-2017).  Reproduced with kind permission of Maidstone Museum & Bentlif Art Gallery